ReplacePath has 502 Bad Gateway and does not reach upstream service in certain cases

I have a Kubernetes upstream service that logs any incoming request before handling it.

I have an ingress route defined to reach this service. It passes two middlewares:

  • an external authentication service (works fine)
  • a replace path middleware.

Without the replace path middleware, I reach the upstream service fine. But when I add the replace path middleware with certain paths, I sometimes get 502 Bad Gateway. The request does not reach the backend service, so the problem is Traefik.

For example: when replacing the path with “/test” or “/example”, the service is reached. When replacing it with “/” or “/result”, the server is not reached and I get 502 Bad Gateway. The service is not the one responding with 502 Bad Gateway!

The authentication middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"traefik.io/v1alpha1","kind":"Middleware","metadata":{"annotations":{},"name":"ingress-uma","namespace":"aggregator-app"},"spec":{"forwardAuth":{"address":"http://ingress-uma.aggregator-app.svc.cluster.local/authorize","authResponseHeaders":["Authorization"],"trustForwardHeader":true}}}
  creationTimestamp: '2025-12-10T11:16:53Z'
  generation: 1
  managedFields:
    - apiVersion: traefik.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
          .: {}
          f:forwardAuth:
            .: {}
            f:address: {}
            f:authResponseHeaders: {}
            f:trustForwardHeader: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: '2025-12-10T11:16:53Z'
  name: ingress-uma
  namespace: aggregator-app
  resourceVersion: '257620'
  uid: 24be3dce-56f1-4c99-b11b-39d74d77337f
spec:
  forwardAuth:
    address: http://ingress-uma.aggregator-app.svc.cluster.local/authorize
    authResponseHeaders:
      - Authorization
    trustForwardHeader: true

The rewrite middleware(s):

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: replace-path
  namespace: aggregator-app
spec:
  replacePath:
    path: "/example" # works fine, "/" or "/result" does not work

The ingress route:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  creationTimestamp: '2025-12-10T11:17:49Z'
  generation: 1
  managedFields:
    - apiVersion: traefik.io/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        f:spec:
          .: {}
          f:entryPoints: {}
          f:routes: {}
      manager: aggregator
      operation: Update
      time: '2025-12-10T11:17:49Z'
  name: 10142777-32d6-4907-8c4b-753d0ef04e28-comunica-ingressroute
  namespace: 10142777-32d6-4907-8c4b-753d0ef04e28
  resourceVersion: '257799'
  uid: 8abe6ee6-6bb7-40e5-8112-daa7ff73f041
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: >-
        Host(`aggregator.local`) &&
        PathPrefix(`/actors/10142777-32d6-4907-8c4b-753d0ef04e28/comunica`)
      middlewares:
        - name: ingress-uma
          namespace: aggregator-app
        - name: replace-path
          namespace: aggregator-app
      services:
        - name: comunica-service
          namespace: 10142777-32d6-4907-8c4b-753d0ef04e28
          port: 8080

When using Docker, the "Bad Gateway" error usually happens when Traefik does not know which Docker network (of multiple) to use. It works, and on the next request it doesn’t work. Not sure if it’s similar for k8s.